Making headlines are more and more ransomware attacks on healthcare providers - including one on Grays Harbor Community Hospital and its medical group involving a $1 million ransom demand. Also in the news week after week are reports on additional organizations affected by the mega-breach at American Medical Collection Agency - a debt collector vendor (until recently, anyway) for many of the country's largest medical laboratories.

Ransomware Attacks

Aberdeen, Washington-based Grays Harbor Community Hospital, which on Wednesday issued a statement revealing that it was still struggling to recover access to parts of its electronic medical records databases following a ransomware attack in June, said it had refused to pay a ransom to unlock its data at the advice of the FBI.

The hospital confimed to me Friday that the attackers had demanded a $1 million ransom. Ouch!

"In my experience and to my knowledge, this would be a very large ransom," former healthcare CIO David Finn, an executive vice president at security consultancy CynergisTek, tells me. "Early numbers in 2019 indicate the average ransomware demand reported to [breach response services provider] Beazley's research team was $224,871."

Finn says that in most ransomware attacks on healthcare entities, ransom demands have ranged "from the thousands to the tens of thousands of dollars. That said, the total take [by cybercriminals] from ransomware is in the billions."

Even the bad guys understand market forces, he notes. "The important thing here is that people pay the ransom, so we keep seeing ransomware attacks. We've also seen strong growth in ransomware-as-a-service, so we are seeing more ransomware and higher demands."

Sometimes cybercriminals increase their ransom demands after learning more about an organization that fell victim to their ransomware, notes Keith Fricke, principal consultant at tw-Security. "Criminals may expect that a larger organization can afford a higher ransom fee," he says.

Shake Down

But as I've also previously reported, it's not just bigger healthcare organizations that are being targeted by ransomware attacks.

For example, Lebanon, Connecticut-based Southeastern Council on Alcoholism and Drug Dependence refused to pay a $1,800 ransom, but racked up about $100,000 in remediation and breach notification expenses in the aftermath (which were thankfully expected to be covered by cyber insurance.)

"Paying ransom is never a good idea - that is what drives the increasing attacks," Finn says. "It is, unfortunately a lucrative business. To break that cycle everyone will need to stop paying ransom."

But making the decision to skip paying a ransom and instead struggle to recover is difficult for many organizations, Finn says. "In healthcare, it really could be a matter of life and death in the most extreme situation" if patient records and other critical data are locked up and made inaccessible by attackers, he tells me.

Vendor Risks

Details about the cyberattack on AMCA are sketchy at best. The company told the lab companies that it serves that unauthorized access to AMCA's systems occurred between Aug. 1, 2018, and March 30, 2019.

Each week, new victim companies emerge with statements that they, too, were affected by the AMCA breach. The tally of those victimized now includes at least 21 companies and more than 24 million patients. And more victims could be added to the list in the weeks ahead.

One of the most important lessons to be learned from the AMCA breach is that healthcare organizations should perform a risk assessment of their vendors' information security practices, privacy attorney David Holtzman, a former senior adviser at the Department of Health and Human Services' Office for Civil Rights, tells me.

"The more access an organization has to your information system or the sensitivity of the data, the more comprehensive and thorough the examination," Holtzman says.

"Just as important is to require a vendor to identify and perform a vendor management assessment of the subcontractors they hire to create or maintain your organization's personally identifiable data."

Where Are The Feds?

The AMCA breach has had a significant impact on the collection agency and its parent company, Retrieval-Master Creditors Bureau, which is facing bankruptcy and dozens of class action lawsuits.

While a handful of U.S. senators and state attorneys general have said they've launched investigations into the AMCA incident, Holtzman tells me he's concerned about the apparent lack of regulatory action by federal enforcement authorities.

"As the scope and size in the sheer numbers of individuals affected by the AMCA breach continue to grow, I am becoming concerned over the perceived lack of engagement by OCR and the Federal Trade Commission," he says.

"On first glance, these agencies share jurisdiction over AMCA's activities as a credit collection agency and in providing services to HIPAA covered entities. However, neither OCR nor FTC have come out publicly on what action they are contemplating. And just as importantly, there has been no advice to consumers who have been directly impacted by this breach on the steps they should take to protect themselves from identity theft or financial fraud."

So, how will the AMCA breach saga play out? And how will ransomware attacks evolve? I invite you to comment below.

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.